[check_postgres] more secure nagios checks
Greg Sabino Mullane
greg at endpoint.com
Mon Mar 9 16:54:21 UTC 2009
Robert Treat wrote:
> I've got a system that has some relatively high security needs that I want to
> use check_postgres / nagios on. Currently some of the checks I want to use
> require superuser access (like check_postgres_wal_files), but I'd rather not
> put a superuser account into my nagios config. In theory it would be easy to
> wrap the checks into a security definer function and have a non-super user
> call them, but I'm not really eager to make a quasi-fork of check postgres.
> So, before I do that, I thought I'd ask if anyone here has had a similar need
> and come up with a workaround for that? Alternatively, if I do have to go
> through rewriting the checks, does anyone have an interest in using them? TIA
This should be possible by playing with the search_path, as CP explicitly does
/not/ hardcode the schema name before the internal tables and functions. Thus,
you can call it with a non-superuser that has a "something before pg_catalog"
search path such that foobar.pg_ls_dir is used by CP. For an example of this in
action, see some of the new unit tests, specifically 02backends.t, which creates
a "fake" pg_stat_activity table to do the testing with.
If this *does* work :), please submit a docs patch.
--
Greg Sabino Mullane greg at endpoint.com
End Point Corporation
PGP Key: 0x14964AC8
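
The search_path approach from the reply above, sketched as an added example (not code from check_postgres or from either poster): a non-superuser role whose search_path puts a wrapper schema ahead of pg_catalog, so an unqualified pg_ls_dir call resolves to a SECURITY DEFINER wrapper that lists only the WAL directory. The role name nagios, the schema name nagios_wrap, and the pg_xlog directory argument (pg_wal from PostgreSQL 10 on) are assumptions.

```sql
-- Run once as a superuser. Names "nagios" and "nagios_wrap" are hypothetical.
CREATE ROLE nagios LOGIN NOSUPERUSER;   -- authentication is configured separately

-- Schema that only the monitoring role may look into.
CREATE SCHEMA nagios_wrap;
REVOKE ALL ON SCHEMA nagios_wrap FROM PUBLIC;
GRANT USAGE ON SCHEMA nagios_wrap TO nagios;

-- Same name and argument type as the built-in, so an unqualified call from
-- the check resolves here first. Runs with the owner's (superuser) rights.
CREATE FUNCTION nagios_wrap.pg_ls_dir(dirname text) RETURNS SETOF text
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin the path inside the function so the caller cannot redirect the
-- lookups made while it runs with elevated rights.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- Allow-list: expose the WAL directory only, not arbitrary paths.
    -- Assumed directory name; use 'pg_wal' on PostgreSQL 10 and later.
    IF dirname IS NULL OR dirname <> 'pg_xlog' THEN
        RAISE EXCEPTION 'pg_ls_dir wrapper: directory "%" is not allowed', dirname;
    END IF;
    -- Schema-qualified so the wrapper calls the built-in, not itself.
    RETURN QUERY SELECT pg_catalog.pg_ls_dir(dirname);
END;
$$;

-- Functions are executable by PUBLIC by default; restrict to the one role.
REVOKE ALL ON FUNCTION nagios_wrap.pg_ls_dir(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION nagios_wrap.pg_ls_dir(text) TO nagios;

-- Wrapper schema listed before pg_catalog, applied at the role's next login.
ALTER ROLE nagios SET search_path = nagios_wrap, pg_catalog;

-- Verification, in a new session connected as nagios:
--   SHOW search_path;
--   SELECT count(*) FROM pg_ls_dir('pg_xlog');   -- goes through the wrapper
--   SELECT * FROM pg_ls_dir('base');             -- rejected by the allow-list
```

The wrapper schema should stay writable only by its owner: anything created there shadows the catalog object of the same name for this role.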